Anthropic has accused Alibaba of obtaining “illicit” access to Claude, alleging that the Chinese ecommerce giant used fake accounts to probe the chatbot’s capabilities in ways that went beyond normal, authorized use. The dispute, which Anthropic frames as an attempt to “extract” what Claude can do, is the latest flashpoint in a growing conflict over how powerful AI systems are tested, accessed, and protected—especially as major companies race to benchmark models, replicate performance, and integrate AI into products at scale.
At the center of Anthropic’s claim is not simply that Alibaba interacted with Claude, but how it did so. According to Anthropic, Alibaba allegedly created or used accounts that were not genuine in order to bypass safeguards and repeatedly query the system. The purpose, Anthropic says, was to stress-test and harvest capabilities—effectively learning the boundaries of Claude’s behavior and using that information to replicate aspects of its performance. In other words, Anthropic argues this was not routine evaluation conducted through legitimate channels, but a method designed to gather intelligence about the model’s outputs and constraints.
Alibaba disputes the allegations. The company says it did not act improperly and characterizes its activity differently, suggesting that its approach should be understood as testing rather than exploitation. That disagreement matters because the line between legitimate experimentation and misuse is often blurry in practice. Companies routinely evaluate AI systems by running large numbers of prompts, comparing responses, and measuring quality across tasks. But when testing involves deception—such as fake identities—or when it appears designed to circumvent protections, the activity can shift from benchmarking into something closer to capability extraction.
This is where the story becomes more than a corporate spat. The question Anthropic is raising is fundamentally about governance: who gets to interact with frontier models, under what conditions, and with what safeguards? As AI adoption accelerates, the “how” of access is becoming as important as the “what.” A model’s performance can be measured in public benchmarks, but many of the most valuable insights come from observing how a system behaves under different prompting strategies, adversarial inputs, and edge cases. Those observations can then be used to improve internal systems, train competitors, or build tools that mimic the user experience—even without directly copying the model.
Capability extraction is a term that has circulated in AI security discussions for years, but it has gained new urgency as commercial models become widely accessible through chat interfaces. Unlike traditional software, where access is typically controlled through APIs with clear terms and rate limits, chatbots can be queried in ways that resemble interactive exploration. If a model is accessible to the public, then a determined actor may attempt to learn its behavior by systematically probing it. The challenge for providers is that the same mechanism—repeated querying—can be both legitimate and harmful depending on intent, identity, and whether safeguards are being bypassed.
Anthropic’s allegation suggests that Alibaba’s approach crossed those lines. Using fake accounts, Anthropic claims, would allow an actor to multiply access, evade throttling, and disguise the true scale of probing. Even if each individual query seems harmless, the aggregate effect can be significant: thousands or millions of interactions can reveal patterns about what the model will do, what it refuses, how it handles ambiguous instructions, and how it responds to attempts to elicit restricted content. Over time, those patterns can be used to build a substitute system or to guide the training of another model toward similar behaviors.
From a provider’s perspective, this is not just about protecting proprietary technology in the narrow sense. It’s also about protecting the integrity of safety systems. Many safety measures rely on the assumption that users are real, identifiable, and operating within reasonable bounds. When an actor uses fake accounts, it undermines that assumption. It also complicates enforcement: if the provider cannot reliably distinguish legitimate users from automated or deceptive probing, then the safety layer becomes harder to calibrate.
For Alibaba, the dispute likely hinges on intent and characterization. Testing can be legitimate even when it is extensive. Companies may run large-scale evaluations to understand model strengths and weaknesses, especially if they plan to offer AI services to customers or integrate AI into their own platforms. They may also test robustness by trying prompts that push the system toward failure modes. The key difference, however, is whether the testing is conducted transparently and within agreed terms, and whether it involves deception or circumvention.
This is why the details of “fake accounts” matter. Fake accounts are not merely a technical detail; they are a signal of intent and a method of bypassing controls. If Anthropic’s account is accurate, then Alibaba’s actions would represent a deliberate attempt to defeat the provider’s access management. If Alibaba’s account is accurate, then Anthropic may be interpreting ordinary evaluation practices as illicit extraction. Either way, the dispute highlights a structural problem: the current ecosystem often lacks clear, enforceable standards for what constitutes acceptable probing of frontier models.
The broader AI industry has been wrestling with these issues for some time, but the stakes have risen. Frontier models are increasingly treated as strategic assets, and the ability to observe their behavior can confer competitive advantage. At the same time, the public-facing nature of many chatbots means that providers must balance openness with protection. Too much restriction can slow research and innovation; too little can invite exploitation.
There is also a geopolitical dimension. Alibaba is a major technology company operating in a different regulatory environment than Anthropic, and the global AI market is shaped by differing approaches to data governance, security, and compliance. When disputes arise between companies across jurisdictions, they often become proxies for larger questions about trust and accountability. Even if the immediate issue is technical—how accounts were used and how queries were made—the narrative quickly expands into a debate about whether certain actors are willing to follow the spirit of AI safety and access rules.
What makes this case particularly interesting is that it reflects a shift in how AI competition is happening. For years, the race was framed primarily around model quality: benchmarks, parameter counts, and training innovations. But as models become more capable and more expensive to train, the competitive landscape increasingly includes “model behavior intelligence”—the ability to learn how a system responds, then reproduce that behavior in other ways. That can mean building a competing model, but it can also mean creating wrappers, prompt strategies, retrieval systems, or fine-tuned assistants that deliver similar outcomes. Capability extraction sits at the intersection of these approaches.
In practical terms, if an actor can map a model’s behavior effectively, it can reduce uncertainty. It can anticipate how the model will respond to certain categories of requests, how it will handle policy boundaries, and how it will behave when asked to perform tasks that require reasoning, formatting, or tool-like outputs. Even if the extracted knowledge does not directly copy the model, it can still be used to improve downstream systems. That is why providers treat large-scale probing as a potential threat even when no explicit data theft occurs.
Another angle is the role of terms of service and contractual access. Many AI providers offer models under specific usage policies that restrict automated scraping, reverse engineering, or high-volume probing. If Anthropic believes Alibaba violated those terms, then the dispute is not only about technical behavior but also about legal and contractual compliance. Alibaba’s response, therefore, likely addresses both the factual claims and the interpretation of what its activity constituted under those policies.
The story also underscores how difficult it is to police AI systems purely through technical means. Rate limits, bot detection, and monitoring can help, but sophisticated actors can adapt. If fake accounts are used, then identity-based controls become less effective. Providers can tighten verification, but that can degrade user experience and raise barriers for legitimate researchers. The industry is moving toward stronger authentication and more robust monitoring, yet there is no universal solution that satisfies both openness and security.
For users, the implications may feel distant, but they are not. When providers tighten access to prevent extraction, it can affect availability, responsiveness, and the ability of legitimate developers to test features. Conversely, if providers do not tighten controls, the risk is that malicious actors gain insight into model behavior and potentially use it to create systems that bypass safety constraints. That could lead to more sophisticated misuse, including attempts to generate disallowed content or to craft prompts that exploit weaknesses in safety filters.
Anthropic’s accusation, if substantiated, would also raise questions about how companies should conduct evaluations of third-party models. There is a difference between evaluating a model for research and attempting to replicate it through systematic probing. The former can often be done through approved channels, while the latter may require access agreements, licensing, or direct collaboration. The industry may need clearer norms—possibly even standardized frameworks—for how model evaluation should be performed when the model is not open source.
One unique takeaway from this dispute is that it reframes “benchmarking” as a contested concept. Benchmarking is often portrayed as neutral measurement. But in the context of closed or semi-closed models, benchmarking can become a form of intelligence gathering. The more a model resembles a black box, the more probing can reveal. That means the ethical and legal status of evaluation depends not only on what is measured, but on how it is measured and whether the provider consents to that method.
It also invites a deeper look at what “capabilities” means in AI systems. Capabilities are not just raw accuracy on tasks; they include style, refusal behavior, reasoning patterns, and the ability to follow complex instructions. Extracting those capabilities through repeated interaction can be seen as extracting a kind of behavioral signature. That signature can then be used to train or tune other systems to approximate the original experience. In that sense, the dispute is about more than access—it is about the transfer of behavioral knowledge without permission.
If the allegations are correct, the use of fake accounts would be a deliberate attempt to accelerate that transfer. It would allow the actor to gather more data than a normal user could, and to do so while obscuring the true identity and scale of the activity. That is precisely the kind of behavior providers want to prevent because it turns a model’s interface into a data collection pipeline.
At the same time, it is worth noting that the AI